We Have the Capabilities to Persevere and Reach the Next Level of Security Maturity
For obvious reasons, perseverance has been the theme for 2020 and will continue well into 2021. In the security industry it has been our watchword for decades, so in a sense this is nothing new. But how we have persevered has evolved through the years, and now we have the capacity to reach new levels of security operations maturity.
The early days of cybersecurity played out largely as a game of cat and mouse. As more effective security defenses emerged, attackers responded with innovative techniques aimed at evading these evolving defenses. When it became obvious that it was no longer a matter of if, but when and how we’d be attacked, defenders persevered by innovating technologies and services aimed at detection and response – from endpoint and network solutions to phishing detection, threat intelligence management and sandboxing solutions as well as managed detection and response services.
Over the past few years, we’ve seen a movement towards the construct of a single security architecture to accelerate detection and response. In 2016, ESG started using the term Security Operations and Analytics Platform Architecture (SOAPA) and it is looking more and more relevant. Product categories like SOAR solutions have steadily gained traction in real-world use. And in 2020, Extended Detection and Response (XDR) solutions started being touted as the number one trend CISOs should understand to increase detection accuracy and improve security operations efficiency and productivity.
So, how should we continue to push our security operations forward in 2021 and beyond?
At each point in our evolution of maturity, we’ve built on the core capabilities we have. Take XDR for instance, which requires separate tools to work together for detection and response. Initial offerings have focused on a single-vendor approach; however, this is problematic because no organization is starting with a clean slate, and different departments with different budgets and teams are using different solutions.
We will never get to full maturity without systems being able to talk to each other – not only to reap the full value of SOAPA, SOAR and XDR, but to start mastering advanced areas like threat hunting. On the detection side what’s required is the ability to tap into a common language to understand and efficiently use all the structured and unstructured data available from an organization’s internal and external sources. On the response side, tools must be integrated so that either automatically or with human assistance the right data can be sent back to the right tools across the ecosystem for effective action.
This is how we should continue to persevere in 2021 and beyond – with customization and integration – and in so doing we will enable new levels of maturity.
Findings from the new SANS 2020 Threat Hunting Survey support this.
• Normalizing data from external feeds and quickly correlating it with internal threat data for victimology is at the core of threat hunting. Yet 48% of hunting teams are storing threat intelligence in unstructured files (e.g., PDFs, text files, spreadsheets) and 36% are manually applying the threat intelligence they have collected.
• With respect to integration, only 6% of the respondents say that their hunters and analysts can work within one consolidated system. Since staff wear different hats, reducing the number of different platforms or systems that hunters and analysts need to move between is particularly important for increasing productivity and effectiveness.
• Automation is essential to offload simple, known tasks and empower humans to do more advanced tasks more efficiently. Although many threat hunters use automation, only 49% feel that the tools do what human operators need to assist their hunts. According to SANS researchers, dissatisfaction often goes back to poor customization or integration of a tool.
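The "common language" for structured and unstructured intelligence and the normalize-then-correlate step in the first survey finding are easiest to see in code. The following is an added illustration, not code from the original post or from any vendor platform: it takes the same kind of indicators arriving as a CSV export, a JSON feed and a free-text report, folds them into one schema keyed by (type, value) with every source retained, and then matches that set against constructed internal proxy/DNS-style events to produce the victimology view (which internal host touched which indicator). All feed names, field names, addresses and hashes are constructed sample values.

```python
import csv
import io
import json
import re
from collections import defaultdict

# Constructed sample feeds: the same kind of indicators arriving in three shapes.
CSV_FEED = """indicator,type,source,confidence
203.0.113.7,ipv4,feed-a,80
bad-updates.example,domain,feed-a,70
"""

JSON_FEED = json.dumps({"objects": [
    {"value": "198.51.100.22", "kind": "ip", "origin": "feed-b", "score": 0.9},
    {"value": "Bad-Updates.example.", "kind": "fqdn", "origin": "feed-b", "score": 0.6},
]})

TEXT_REPORT = """Constructed report excerpt: observed C2 at 203.0.113.7 and
staging on cdn-mirror.example; the file hash was
0123456789abcdef0123456789abcdef in one case."""

# Constructed internal telemetry in a proxy/DNS log style.
INTERNAL_EVENTS = [
    {"host": "wks-017", "dst_ip": "203.0.113.7", "domain": None},
    {"host": "wks-042", "dst_ip": "10.0.0.5", "domain": "bad-updates.example"},
    {"host": "srv-db1", "dst_ip": "198.51.100.22", "domain": None},
    {"host": "wks-017", "dst_ip": "10.0.0.9", "domain": "intranet.local"},
]

# Each feed names indicator types differently; map them onto one vocabulary.
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "fqdn": "domain", "domain": "domain", "md5": "md5"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)


def canonical(value, itype):
    """Lower-case and trim so the same indicator spelled differently merges into one record."""
    v = value.strip().lower()
    if itype == "domain":
        v = v.rstrip(".")  # drop trailing dot from fully qualified names
    return v


def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        t = TYPE_ALIASES[row["type"]]
        yield {"value": canonical(row["indicator"], t), "type": t,
               "source": row["source"], "confidence": int(row["confidence"])}


def parse_json(text):
    for obj in json.loads(text)["objects"]:
        t = TYPE_ALIASES[obj["kind"]]
        yield {"value": canonical(obj["value"], t), "type": t,
               "source": obj["origin"], "confidence": int(round(obj["score"] * 100))}


def parse_text(text, source="report-c"):
    """Unstructured report: extract indicators by pattern and assign a default confidence."""
    for t, rx in (("ipv4", IPV4_RE), ("md5", MD5_RE), ("domain", DOMAIN_RE)):
        for m in rx.findall(text):
            yield {"value": canonical(m, t), "type": t, "source": source, "confidence": 50}


def normalize(records):
    """Merge records keyed by (type, value); keep every source and the highest confidence."""
    merged = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                        "sources": set(), "confidence": 0})
        entry["sources"].add(rec["source"])
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    return merged


def correlate(indicators, events):
    """Victimology: map each matched indicator to the internal hosts that touched it."""
    hits = defaultdict(list)
    for ev in events:
        candidates = [("ipv4", ev["dst_ip"])]
        if ev["domain"]:
            candidates.append(("domain", canonical(ev["domain"], "domain")))
        for key in candidates:
            if key in indicators:
                hits[key].append(ev["host"])
    return dict(hits)


def build():
    """Run the whole pipeline on the constructed inputs and return (indicators, hits)."""
    records = list(parse_csv(CSV_FEED)) + list(parse_json(JSON_FEED)) + list(parse_text(TEXT_REPORT))
    indicators = normalize(records)
    return indicators, correlate(indicators, INTERNAL_EVENTS)


if __name__ == "__main__":
    inds, hits = build()
    for key, hosts in hits.items():
        print(key, "seen from", hosts, "sources:", sorted(inds[key]["sources"]))
```

The merge step is where the survey's 48% figure bites: an indicator that only lives in a PDF or spreadsheet never reaches `normalize`, so it can never contribute a source or a confidence value, and the host that contacted it never shows up in `correlate`. Keeping the `sources` set per indicator also gives the analyst the provenance needed to decide whether a hit warrants automation or a human look.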
As we look ahead to where we can focus our efforts to push security operations forward, the path is clear. We must move towards a single, collaborative environment that can include threat hunters, incident handlers and threat intelligence and SOC analysts. Combining external and internal threat and event data to build a broader picture of what is happening within their unique ecosystems, security staff can gain and share a deeper understanding of relevant activity. Without having to switch between tools, they can quickly assess and focus on advanced threats and make better decisions with more confidence. With the right data they can apply automation to an entire process or just select aspects, from curating intelligence to hardening the sensor grid.
2021 will have its own set of unique challenges. But the good news is that we have the capabilities to persevere and reach the next level of maturity – taking the right actions faster to proactively strengthen security posture.